Trying to rebuild flash on a bricked switch, issues with keys!

sylver78 (OP)
Hello,
I've got a Switch that is not booting. I have very little info about it; it seems that the son of my friend (who gave me this switch) played with ChoiDuJourNX and killed the Switch! So after some investigation, I found that the flash content seems to be all f*cked up!
Of course I have no flash backup, so the easy way is not an option!
Before doing anything, I've done a backup of the corrupted flash in case I make things worse (if that's even possible).
Now what I've found is the following:

Last firmware that ran on this switch was 9.x (12 burnt fuses)

Lockpick_rcm is not happy about the keyblobs:

The content of the prod.keys is missing quite some stuff:


There are some important keys missing like master_key_xx ...

The biskeydump payload gives me some keys that seem different from the ones that Lockpick gets ...
(edit: I tried to get biskeys using fuse_cached.bin and tsec_keys.bin using the website and it gives the same keys as biskeydump)


I tried to use "./linkle keygen -k ./prod.keys" to get some correct keyblobs to try to inject them again into the boot0 partition,
but the application seems unable to generate them due to the lack of some important keys in the prod.keys file.

So now I'm not sure what to do to make some progress; for now I'm quite blocked because I failed in getting some keys that seem to be needed ...
Any help is more than welcome :)
 

sylver78 (OP)
Ok, I've finally found what my problem was, and it had nothing to do with keys …

I was using my SXOS dongle and boot application to run the lockpick payload, and that was what was causing the issue!

I was doing it like that because for some reason I was not able to inject payloads from my computer on this switch, but today I’ve found that using a shorter USB cable allows me to inject payloads on this switch, and injecting the lockpick_rcm payload from my computer makes things go way better!

But my Switch is still not booting (Nintendo logo then nothing), so I still have some work to do on it, but at least it’s not key related!
 

linuxares (Global Moderator)
Actually, being stuck on the Nintendo logo is a broken NAND, which can actually be an issue with the keys. Since if you try to sign with invalid keys, it will just get stuck there.
 

sylver78 (OP)
Actually, I’ve already tried to check my partitions using HacDiskMount and the different BISKeys I retrieved with lockpick_rcm, and everything opens like a charm; checking the entropy gives me all OK, and mounting the SAFE/SYSTEM and USER partitions allows me to see files and folders in each partition (besides the SAFE partition, which is empty but seems to be normal). I also tried replacing everything from a 5.x firmware (by generating everything using the ChoiDuJour PC application) with no success …

I don't have much background on this console, and one possibility is that the Prodinfo flash partition is just fake (even if correctly encrypted with BISKEY_01). Can anyone confirm that the broken prodinfo symptom is having a Nintendo logo and nothing after?
 

LIY2012
I can confirm that a bad prodinfo will hang on the 2nd logo, the one with the picture of the switch controllers that says Nintendo Switch.

If you have the BISKEYs, it should be simple enough to check if the prodinfo is real or not. Just decrypt it and dump it with HacDiskMount and then check it in HxD to see that the serial number at offset 0x0250 matches the one on the sticker on the console.
 

sylver78 (OP)
any progress on this?
I have a similar issue with the keyblobs corrupt, not sure how important these are! :D
https://gbatemp.net/threads/any-ide...-when-my-bis-keys-say-keyblob-corrupt.564712/
My keyblob issue was a false report from lockpick because I was starting its payload from the SXOS boot tool instead of directly injecting from a computer. My keyblobs have been correct since the beginning!
@LIY2012: I’ve already had a look at the prodinfo content; it seems valid, there is a serial number (XAJ40002539xxx), but unfortunately the sticker on the switch is gone and I don’t have the box to check on it …

What do you mean by “I can confirm that a bad prodinfo will hang on the 2nd logo”? Does it show the 2nd logo (the one with the switch controllers) or does it crash before? Because in my case it crashes after showing the first logo (Nintendo); I don’t see the 2nd one!

I’ve made some other operations: as this switch has 12 fuses burnt, I updated my working switch to firmware 9.2.0 (which is the one that burns 12 fuses). From this console, I retrieved Boot0 (everything before 0x180000), Boot1 and:
- BCPKG2-1-Normal-Main.bin
- BCPKG2-2-Normal-Sub.bin
- BCPKG2-3-SafeMode-Main.bin
- BCPKG2-4-SafeMode-Sub.bin

I also got the content of the SAFE (empty actually)/SYSTEM/USER partitions by mounting them with the correct biskeys.

I reinjected everything into the non-working switch (only the first 0x180000 bytes of Boot0, to keep the keyblobs valid), boot1, all BCPKG2-x partitions, and I mounted SAFE/SYSTEM/USER to delete their content and replace it with the content extracted from the working switch.

After that, I now see the Nintendo logo when booting normally, but it stays black after that.

When trying to boot with Kosmos it seems to start correctly according to the logs:

Found pkg1 ('201910…') (= 9.2.0)
Identified pkg1 and keyblob 10
Found FSS0, Atmosphere 0.12.0-7BC0250C
Max HOS supported : 10.0.1
Unpacking and loading components..
Loaded config, pkg1 and keyblob
Generated keys
Loaded warmboot and sermon
Read pkg2
Parsed ini1
Patching kernel
Patching kips
Rebuilt & loaded pkg2

Booting…


Then it goes black (not even the Nintendo logo).

If I ask Atmosphere to load OFW, it shows the same lines I think, then the Nintendo logo, then it goes black.


One thing that I’ve found and that I’m not understanding is regarding keyblob 10.

Actually, I’ve found that in BOOT0, at address 0x450, there is a keyblob that is copied there (this is what I have on my working switch). I’ve found a post here referring to this address as the “firmware” keyblob, but I’m not sure how it is used by the system. This keyblob is repeated at several places in the BOOT0 image (0x4450, 0x8450, 0xC450 and the address above 0x180000 that may correspond to keyblob 10).

As I got the boot0 image from a working switch, the keyblob value in the boot0 was the keyblob value from this switch, so what I’ve done is get keyblob 10 from my non-working switch and copy it to the places where this keyblob is repeated (0x4450, 0x8450, 0xC450), and I flashed it into the failing switch. No more success!

I’ve also found that the boot0 generated by ChoiDuJour PC (I did that when trying to install a pre-6.2.0 package to try to make this switch work) does not include keyblobs at these addresses; it’s just filled with 0. So I tried to replace all these places holding keyblob 10 with 0 (excepting the actual keyblob 10 at address 0x180xxx of course). Not much success!

Now I’m out of ideas, and I’m really starting to think that this prodinfo partition is not the right one, but I have no proof! From what I’ve seen ( https://switchbrew.org/wiki/Calibration ), there is a sha256 hash; I’ll check which data it is calculated on to check if the content is valid …
 

LIY2012
Wow, it looks like you've tried a lot already. I've always had luck going the Choidujour 5.1 -> ChoidujourNX 9.2 -> OFW route. Some of the keys are not console specific and can be taken from another switch or off the internet. Others are console specific. If you need help trying that, let me know.

What I meant about hanging on the second logo: my switch with a bad prodinfo will boot past the first Nintendo logo, but hang on the second one that says Nintendo Switch with the little switch graphic. So it goes Kosmos logo -> Nintendo logo -> Switch logo (hang).

Finally, I'm not sure about keyblob10, but I would imagine it's console specific and couldn't be copied from another switch.
 

sylver78 (OP)
@LIY2012
I’ve spent a lot of time on this switch, but I’ve also learnt a lot already (even if the console is still not repaired).

Ok, this is valuable information!

If my switch crashes before the switch logo, then it should mean that my issue is not (yet?) about a bad prodinfo partition!

I’ve just checked the sha256 hash of this partition and it’s OK. If anyone wants to do it, just check the sha256 hash value stored in the partition; it’s 32 (0x20) bytes long, starting at offset 0x20.
If anyone wants to check by himself one day, here are the steps: check the length of the data that is at offset 0x08; if you have C0 7F 00 00, then the length is 0x7FC0. Then copy all bytes from 0x40 to 0x40+length-1 (= 0x7FFF in most cases) and put these bytes in a file. Then compute the sha256 hash on this (on my Mac I have a sha256sum command line for this) and you should have the same result. If not, then you made a mistake or your prodinfo content is faulty!

About keyblob 10, of course it’s console specific, so I took the one from the faulty console and injected it into boot0 before flashing it into it, but the question is why keyblob 10? I’ve found many start logs for Atmosphere and it seems that the keyblob number used depends on the firmware version! Every console running 9.2.0 is using keyblob 10 from what I’ve just seen …

Of course I’ve done the 5.1 firmware files/boot flashing before going to 9.2.0 and I had exactly the same behaviour (Nintendo logo then nothing). I’m really wondering if there is a hardware problem preventing me from booting (even if this switch boots an Ubuntu image correctly and Wifi/BT is working correctly).
 
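The prodinfo (CAL0) integrity check described in the post above, written out as a script. This is an added example, not code from the thread or from any of the tools mentioned in it; it uses only the layout the post gives (body size as a little-endian u32 at 0x08, the 32-byte SHA-256 at 0x20, the hashed body from 0x40 to 0x40+length-1) plus the serial field at 0x250 that LIY2012 pointed to. The "CAL0" magic at offset 0 comes from the switchbrew Calibration page; the serial field width of 0x18 bytes and the placeholder serial are assumptions, and the sample image is constructed, not a real dump.

```python
import hashlib
import struct

# Layout of the decrypted PRODINFO (CAL0) partition as described in the thread.
CAL0_MAGIC = b"CAL0"       # magic at offset 0 (switchbrew Calibration page)
BODY_SIZE_OFFSET = 0x08    # u32 little-endian: bytes C0 7F 00 00 -> 0x7FC0
HASH_OFFSET = 0x20         # 32-byte SHA-256 of the body
BODY_OFFSET = 0x40         # hashed region starts here
SERIAL_OFFSET = 0x250      # serial number field in the dump (per LIY2012)
SERIAL_MAXLEN = 0x18       # assumption: NUL-padded field of this width


def parse_cal0(image: bytes) -> dict:
    """Parse the header, hash the body, and report whether both agree."""
    if len(image) < BODY_OFFSET:
        raise ValueError("image too short to hold a CAL0 header")
    magic = image[0:4]
    (body_size,) = struct.unpack_from("<I", image, BODY_SIZE_OFFSET)
    stored_hash = image[HASH_OFFSET:HASH_OFFSET + 32]
    body = image[BODY_OFFSET:BODY_OFFSET + body_size]
    if len(body) != body_size:
        raise ValueError("body size field 0x%X exceeds the image" % body_size)
    computed_hash = hashlib.sha256(body).digest()
    serial_raw = image[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_MAXLEN]
    serial = serial_raw.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return {
        "magic_ok": magic == CAL0_MAGIC,
        "body_size": body_size,
        "last_hashed_offset": BODY_OFFSET + body_size - 1,  # 0x7FFF for 0x7FC0
        "stored_hash": stored_hash.hex(),
        "computed_hash": computed_hash.hex(),
        "hash_ok": stored_hash == computed_hash,
        "serial": serial,
    }


def verify_cal0(image: bytes) -> bool:
    """True only when the magic is right and the stored SHA-256 matches the body."""
    try:
        info = parse_cal0(image)
    except ValueError:
        return False
    return info["magic_ok"] and info["hash_ok"]


def make_sample_cal0(serial: bytes, body_size: int = 0x7FC0) -> bytes:
    """Build a constructed CAL0 image for testing; this is not a real dump."""
    body = bytearray(body_size)
    rel = SERIAL_OFFSET - BODY_OFFSET          # serial lives inside the hashed body
    body[rel:rel + len(serial)] = serial
    header = bytearray(BODY_OFFSET)
    header[0:4] = CAL0_MAGIC
    struct.pack_into("<I", header, BODY_SIZE_OFFSET, body_size)
    header[HASH_OFFSET:HASH_OFFSET + 32] = hashlib.sha256(body).digest()
    return bytes(header + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python cal0_check.py PRODINFO.bin  (a decrypted dump, e.g. from HacDiskMount)
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample carrying an obviously fake placeholder serial.
        data = make_sample_cal0(b"XAW00000000000")
    info = parse_cal0(data)
    for key, value in info.items():
        print(f"{key}: {value}")
    print("RESULT:", "OK" if verify_cal0(data) else "CORRUPT")
```

Run it on a decrypted PRODINFO dump and compare the printed serial with the console sticker. Note that this only checks the overall SHA-256 the post describes; it does not validate the per-record CRC-16 checksums that scandal_uk mentions further down, so an image that passes here can still be rejected if individual records were edited without updating those.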

LIY2012
If the checksum of the prodinfo is correct, I would guess that it's probably good. Also, if you can run Linux, I don't think it would be a hardware issue. It sounds like something might be wrong with your firmware files, or your keyblobs. If you want to try the 5.1 route again, PM me and I can try to help you.
 

sylver78 (OP)
Thanks a lot!

I’ll try to check everything hardware related by running Android on the switch (the Ubuntu build was not easy to run on such a small screen). After that I’ll try the 5.1 route again …

There is one thing that I’m not able to find: how keyblobs > 5 are generated/checked and so on … Lockpick and linkle are only handling keyblobs 0-5, and I can’t find any information about these keys! Anyway, it’s not related to my issue I guess, it’s just curiosity!
 

ThiagoDaruma
Great post. It is a little above my knowledge, but I am rereading it a few times to try to understand better.
I think I have a very similar problem; I made a topic asking for help.

I didn't even see the Nintendo logo, just a static black screen.

I still haven't tried to inject the keyblobs into my boot0 because I didn't quite understand how to install linkle. I tried to install Rust several times, but when trying to install linkle I see many errors. Anyway, I have hopes that I still have a lot to try and work on with my Switch.
 

sylver78 (OP)
Ok, I managed to do things correctly by going through a howto with all the correct material (Windows computer, using the memloader payload, ...) and now I see the Nintendo logo, then the Switch logo, then it is stuck at the Switch logo ... I guess that the prodinfo I have is from another console :( (I can't really check, as the sticker on the console with the serial number is gone). I'll store this console until there is a way to boot a console without a valid prodinfo ... Thanks for your help!
 

aharjono
sylver78,

can you help me with the keyblob error on my boot0 when running lockpick_rcm?

Other than that, my Switch is working fine with SX OS or Atmos.

I have 13 fuses burnt, at 10.0.3 now, with SX OS 3.0.

I opened boot0.bin using HxD; it is empty at 00180000.
 

scandal_uk
I’m seeing more reports of corrupted keyblobs every day. I wonder what is corrupting the ProdInfo; it seems to be affecting SX users mainly?

It’s worth knowing that the SHA is used to verify the overall prodinfo, but each element also needs to have a CRC-16 checksum written to the last two bytes of the next 16-byte offset; otherwise any changes you make will not be valid and will not work.
 
